Re: [LTP] [PATCH] thp testcase come from CVE reproducer

[Han Pingtian <phan@redhat.com>]

[-- Attachment #1: Type: text/plain, Size: 3496 bytes --]

I have updated the patch based on your suggestions. Please review.

Thanks.

Han Pingtian
On Wed, Apr 06, 2011 at 11:57:51PM -0700, Garrett Cooper wrote:
> I'm going to be more anal retentive with this review than I was previously.
> 
> On Fri, Feb 25, 2011 at 2:36 AM, Han Pingtian <phan@redhat.com> wrote:
> > This is a reproducer of  CVE-2011-0999, which fixed by mainline commit
> > a7d6e4ecdb7648478ddec76d30d87d03d6e22b31:
> >
> > "Transparent hugepages can only be created if rmap is fully
> > functional. So we must prevent hugepages to be created while
> > is_vma_temporary_stack() is true."
> >
> > When running in a loop, it can trigger panic like this, if kernel
> > unpatched:
> >
> > kernel BUG at mm/huge_memory.c:1260!
> > invalid opcode: 0000 [#1] SMP
> > last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map
> 
> ...
> >
> > So I recommend to run it as 'thp01 -I xxx'.
> > +static option_t options[] = {
> > +       {NULL, NULL, NULL}
> > +};
> > +
> > +static void usage(void)
> > +{
> > +    return;
> > +}
> > +
> > +int main(int argc, char **argv) {
> > +       int i, lc, st;
> > +       pid_t pid;
> > +       char *msg;
> > +       char *c[257];
> > +       char cc[32*4096];
> > +       struct rlimit rl = {
> > +               .rlim_cur =RLIM_INFINITY,
> > +               .rlim_max=RLIM_INFINITY,
> > +       };
> > +
> > +       msg = parse_opts(argc, argv, options, usage);
> > +       if (msg != NULL)
> > +               tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg);
> > +
> > +       for (lc = 0; TEST_LOOPING(lc); lc++) {
> > +               switch (pid = fork()) {
> > +                       case -1:
> > +                               tst_brkm(TBROK|TERRNO, NULL, "fork");
> > +                       case 0:
> > +                               memset(cc, 'c', 32*4096-1);
> > +                               for (i=0;i<256;i++)
> > +                                       c[i] = cc;
> > +                               if (setrlimit(RLIMIT_STACK, &rl) == -1)
> > +                                       tst_brkm(TBROK|TERRNO, NULL, "setrlimit");
> > +                               if (execve("/bin/true", c, c) == -1)
> > +                                       tst_brkm(TBROK|TERRNO, NULL, "execve");
> 
> I would just do perror("execve"), etc, because this is a child process
> and according to the style guide you shouldn't use tst_resm in child
> processes (I recommended that in the style guide for a very good
> reason that you should understand).
> 
> > +                       default:
> > +                               if (waitpid(pid, &st, 0) == -1)
> > +                                       tst_brkm(TBROK|TERRNO, NULL, "waitpid");
> > +
> > +                               if (! WIFEXITED(st))
> > +                                       tst_brkm(TBROK, NULL, "child exit status is %d", WEXITSTATUS(st));
> 
> I agree with what Cyril said before about whitespace.
> 
> ...
> 
> -Garrett
> 
> ------------------------------------------------------------------------------
> Xperia(TM) PLAY
> It's a major breakthrough. An authentic gaming
> smartphone on the nation's most reliable network.
> And it wants your games.
> http://p.sf.net/sfu/verizon-sfdev
> _______________________________________________
> Ltp-list mailing list
> Ltp-list@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/ltp-list

[-- Attachment #2: 0001-thp-testcase-come-from-CVE-reproducer.patch --]
[-- Type: text/plain, Size: 5727 bytes --]

From 0e226273edd93e50afdf5d698bfc000cc9823a8c Mon Sep 17 00:00:00 2001
From: Han Pingtian <phan@redhat.com>
Date: Fri, 25 Feb 2011 17:51:24 +0800
Subject: [PATCH] thp testcase come from CVE reproducer

This is a reproducer of  CVE-2011-0999, which fixed by mainline commit
a7d6e4ecdb7648478ddec76d30d87d03d6e22b31:

"Transparent hugepages can only be created if rmap is fully
functional. So we must prevent hugepages to be created while
is_vma_temporary_stack() is true."

When running in a loop, it can trigger panic like this, if kernel
unpatched:

kernel BUG at mm/huge_memory.c:1260!
invalid opcode: 0000 [#1] SMP
last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map
....

So I recommend to run it as 'thp01 -I xxx'.

Signed-off-by: Han Pingtian <phan@redhat.com>
---
 runtest/mm                        |    2 +
 testcases/kernel/mem/thp/Makefile |   23 ++++++++
 testcases/kernel/mem/thp/thp01.c  |  102 +++++++++++++++++++++++++++++++++++++
 3 files changed, 127 insertions(+), 0 deletions(-)
 create mode 100644 testcases/kernel/mem/thp/Makefile
 create mode 100644 testcases/kernel/mem/thp/thp01.c

diff --git a/runtest/mm b/runtest/mm
index f2d50d6..dded529 100644
--- a/runtest/mm
+++ b/runtest/mm
@@ -78,3 +78,5 @@ oom01 oom01
 oom02 oom02
 oom03 oom03
 oom04 oom04
+
+thp01 thp01 -I 600
diff --git a/testcases/kernel/mem/thp/Makefile b/testcases/kernel/mem/thp/Makefile
new file mode 100644
index 0000000..dbfbc1b
--- /dev/null
+++ b/testcases/kernel/mem/thp/Makefile
@@ -0,0 +1,23 @@
+#
+#  Copyright (C) 2010  Red Hat, Inc.
+#
+#  This program is free software; you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation; either version 2 of the License, or (at
+#  your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful, but
+#  WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#  General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program; if not, write to the Free Software
+#  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+#  02110-1301, USA.
+#
+
+top_srcdir              ?= ../../../..
+
+include $(top_srcdir)/include/mk/testcases.mk
+include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/mem/thp/thp01.c b/testcases/kernel/mem/thp/thp01.c
new file mode 100644
index 0000000..4c94031
--- /dev/null
+++ b/testcases/kernel/mem/thp/thp01.c
@@ -0,0 +1,102 @@
+/*
+ * This is a reproducer of  CVE-2011-0999, which fixed by mainline commit
+ * a7d6e4ecdb7648478ddec76d30d87d03d6e22b31:
+ *
+ * "Transparent hugepages can only be created if rmap is fully
+ * functional. So we must prevent hugepages to be created while
+ * is_vma_temporary_stack() is true."
+ *
+ * It will cause a panic something like this, if the patch didn't get applied:
+ *
+ * kernel BUG at mm/huge_memory.c:1260!
+ * invalid opcode: 0000 [#1] SMP
+ * last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map
+ * ....
+ *
+ * Copyright (C) 2010  Red Hat, Inc.
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of version 2 of the GNU General Public
+ * License as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it would be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ *
+ * Further, this software is distributed without any warranty that it
+ * is free of the rightful claim of any third person regarding
+ * infringement or the like.  Any license provided herein, whether
+ * implied or otherwise, applies only to this software file.  Patent
+ * licenses, if any, provided herein do not apply to combinations of
+ * this program with other software, or any other product whatsoever.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+#include "test.h"
+#include "usctest.h"
+#include "config.h"
+
+char *TCID = "thp01";
+int TST_TOTAL = 1;
+
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/resource.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+int main(int argc, char **argv)
+{
+	int i, lc, st;
+	pid_t pid;
+	char *msg;
+	char *c[257];
+	char cc[32*4096];
+	struct rlimit rl = {
+		.rlim_cur = RLIM_INFINITY,
+		.rlim_max = RLIM_INFINITY,
+	};
+
+	if ((msg = parse_opts(argc, argv, NULL, NULL)) != NULL)
+		tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg);
+
+	for (lc = 0; TEST_LOOPING(lc); lc++) {
+		switch (pid = fork()) {
+			case -1:
+				tst_brkm(TBROK|TERRNO, NULL, "fork");
+			case 0:
+				memset(cc, 'c', 32*4096-1);
+				cc[32*4096-1] = '\0';
+
+				for (i=0;i<256;i++)
+					c[i] = cc;
+				if (setrlimit(RLIMIT_STACK, &rl) == -1) {
+					perror("setrlimit");
+					exit(1);
+				}
+				if (execve("/bin/true", c, c) == -1) {
+					perror("execve");
+					exit(2);
+				}
+			default:
+				if (waitpid(pid, &st, 0) == -1)
+					tst_brkm(TBROK|TERRNO, NULL, "waitpid");
+
+				if (!WIFEXITED(st))
+					tst_brkm(TBROK, NULL, "child exits abnormally");
+
+				if (WEXITSTATUS(st) == 2)
+					tst_brkm(TBROK, NULL, "Do you have /bin/true installed?");
+
+				if (WEXITSTATUS(st) != 0)
+					tst_brkm(TBROK, NULL, "chaild exits with non-zero value");
+
+				tst_resm(TPASS, "thp01 pass");
+		}
+	}
+
+        tst_exit();
+}
-- 
1.7.4.2


[-- Attachment #3: Type: text/plain, Size: 250 bytes --]

------------------------------------------------------------------------------
Xperia(TM) PLAY
It's a major breakthrough. An authentic gaming
smartphone on the nation's most reliable network.
And it wants your games.
http://p.sf.net/sfu/verizon-sfdev

[-- Attachment #4: Type: text/plain, Size: 155 bytes --]

_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list